routing issues

dave dave
Level 1

Hi! I have an issue with a VPN user connected to our network who is not able to reach a certain segment (172.1.1.0/24, which is in HQ).
I can reach 172.1.1.0/24 and all other networks from within our LAN itself, but the remote VPN users cannot. I've attached a diagram, and I have the routes
below configured on fw1 and the core 1 switch. When I do a traceroute to 172.1.1.0/24 from the remote laptop, it stops at 10.10.11.1.
The firewall rule allows traceroute and ICMP. Any idea what's wrong? Thanks

fw1

ip route 172.1.1.0/24 thru 10.10.10.1
ip route 10.10.0.0/16 thru 10.10.10.1
ip route 10.11.5.0/24 thru 10.10.11.2

c1
got the 172.1.1.0/24 thru OSPF E2
ip route 0.0.0.0 0.0.0.0 thru 10.10.10.4
ip route 10.10.0.0 255.255.0.0 10.10.10.3 200
ip route 10.11.5.0 255.255.255.0 thru 10.10.10.1

Running OSPF for all of the 10.10.0.0/16 segment.

8 Replies

Vaibhava Varma
Level 4

Hi Dave

Where is the IP 10.10.10.1 configured? What is the Ethernet WAN shown in the diagram? Is it an L3 switch configured with an SVI for the 10.10.10.0/24 subnet and the 10.10.10.1 IP?

How about the trace to the 172.1.1.0/24 segment from the FW/C1 and from the GW 10.10.10.1 itself? Does that work?

Regards

Varma

Hi Varma, 10.10.10.1 is the WAN VLAN's gateway on the L3 core 1 switch. Yes, that's right, it's an SVI.

trace from C1 to 172.1.1.0/24 works without any issue.

Hi Dave

I was wondering how on c1 we are able to define a static route towards the destination with the GW being a self IP. We must have defined the exit interface as the next hop. Is that correct?

Now, leaving that point and coming back to the issue in question: the trace from c1 to the destination subnet 172.1.1.0/24 goes through, which means the issue lies between the FW and C1, as the trace from the remote user laptop reaches the FW IP

10.10.11.1. So from a routing perspective the remote user's packet is able to reach the FW, and c1 (which is the GW) can reach the destination. So the issue, from my understanding, is isolated to between the FW and c1.

Does the trace from the FW to 172.1.1.0/24 succeed or not? Can you double-check the FW policies and relevant logs when the user issues a traceroute, to see whether the packets are getting out of the FW and whether any ICMP reply comes back to the FW? The FW is doing plain routing for the VPN subnet based on policies... is that correct?

Regards

Varma

Hi, the understanding in your second paragraph is correct. I can neither ping nor traceroute from the FW itself. Just to understand, if I could ping/traceroute from the FW itself, does that mean the issue lies with the FW rule? Thanks


Hi Dave

Yes, I would double-check the FW rules to eliminate any policy-control-related issues.

Regards

Varma

fb_webuser
Level 6

Buddy... kindly share all ACL and VPN configuration.

---

Posted by WebUser Kailash Suthar

In addition, please check if those networks are in the VPN users' split tunnel list.

Thx

MS

Hi,

You need to compare your split tunnel ACL and your routing table on the FW. You should also ensure that these networks (DMZs etc.) can route traffic back to the VPN pool if you want the VPN pool to access those networks.

Also, make sure to allow traffic on the ACL from the relevant subnets, i.e. on your firewall (inside) interface, which is 10.10.10.4, make sure to allow the traffic coming from 172.1.1.0/24 to the VPN pool (10.11.5.0/24).

HTH

Regards

Kishore
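As an added illustration of the routing checks Varma and Kishore describe (example code written for this page, not posted by anyone in the thread), the following Python models the two tables Dave listed and walks a destination hop by hop with longest-prefix matching, once for the forward path from fw1 to 172.1.1.0/24 and once for the return path from c1 back to the VPN pool 10.11.5.0/24. Interface addresses, the "connected" networks and the HQ_NEXT_HOP placeholder for c1's OSPF-learned next hop are assumptions, since the thread does not give them.

```python
import ipaddress

# Constructed model of the two tables Dave posted. Interface addresses, the
# "connected" networks and the HQ_NEXT_HOP placeholder (the OSPF E2 next hop
# c1 learned, which the thread does not name) are assumptions, not from the thread.
DEVICES = {
    "fw1": {
        "addrs": {"10.10.10.4", "10.10.11.1"},
        "routes": [("172.1.1.0/24", "10.10.10.1"), ("10.10.0.0/16", "10.10.10.1"),
                   ("10.11.5.0/24", "10.10.11.2"),
                   ("10.10.10.0/24", "connected"), ("10.10.11.0/24", "connected")],
    },
    "c1": {
        "addrs": {"10.10.10.1"},
        "routes": [("172.1.1.0/24", "HQ_NEXT_HOP"), ("0.0.0.0/0", "10.10.10.4"),
                   ("10.10.0.0/16", "10.10.10.3"), ("10.11.5.0/24", "10.10.10.1"),
                   ("10.10.10.0/24", "connected")],
    },
}
OWNER = {a: name for name, d in DEVICES.items() for a in d["addrs"]}

def lookup(device, dst):
    """Longest-prefix match: the most specific matching route wins, as in a FIB."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in DEVICES[device]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(start, dst, max_hops=8):
    """Follow next hops from device to device; return (path, why it stopped)."""
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(dev, dst)
        if hit is None:
            return path, f"no route on {dev}"
        net, nh = hit
        if nh == "connected":
            return path, "delivered"            # destination is on an attached segment
        if nh in DEVICES[dev]["addrs"]:         # Varma's point about c1's 10.11.5.0/24 route
            return path, f"{dev} routes {net} to its own address {nh}"
        if nh not in OWNER:                     # hands off to a box we did not model
            return path, f"leaves modelled topology via {nh}"
        dev = OWNER[nh]
        path.append(dev)
    return path, "loop"
```

Running trace("fw1", "172.1.1.10") leaves the model through c1 toward HQ, while trace("c1", "10.11.5.10") stops on c1 because its route for the VPN pool points at its own SVI, which is the return-path problem Kishore asks about.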
